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(54) Method and apparatus for encrypting data 

(57) In the process of compressing and encrypting 
data, without increase of a processing time, a cipher 
capability is secured against the latest cryptanalysis 
such as differential and linear cryptanalyses. The differ- 
ential and linear cryptanalyses are executed to collect 
plural pair of plaintext and cryptosystem for the same 
key and perform the statistical operation for estimating 
the key. An I/O process (102) is executed to receive 
plaintext data (111) and generate a random number 
(104). Then, an operation is executed to generate a dif- 
ferent key for each data on the random number (105) 



and set the key to a work key (115). The encrypted 
intermediate result or the pre-encrypted result (108) is 
fed back for frequently changing the work key (115). 
These series of operations makes it possible to protect 
the ciphertext from the differential and the linear cryp- 
tanalyses. On the work key, the changing operation 
(106) is executed to change correspondence (114) 
between the plaintext data and the compressed data in 
the compressing process (107), for providing the com- 
pression with the encryption. 
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Description 

BACKGROUND OF THE INVENTION 

The present invention relates to data encryption, 
and more particularly to the improvements in process- 
ing efficiency of encryption and cipher strength to any 
cryptanalysis. Furthermore, the present invention 
relates to the encryption involving data compression 
and more particularly to the improvements in process- 
ing efficiency of data compression and encryption and 
strength to cryptanalysis. 

With increase of the computerized central informa- 
tion of a system and the data communication through a 
network, importance is now being placed on a tech- 
nique of encrypting data for keeping the computerized 
data from being tapped and tampered. As described in 
pages 27 to 32 of "Introduction to Cryptography Theory" 
Kyoritu edit., 1993, the encryption is roughly divided into 
a symmetric key cryptosystem and an asymmetric key 
cryptosystem. The present invention is intended for the 
improvement in symmetric cryptosystem which is suita- 
ble for encrypting a large amount of data. Later, a secret 
key cryptosystem is simply called cryptosystem. 

At first, the description will be oriented to the basic 
terms about the cryptosystem. As is described in pages 
33 to 59 of the foregoing writing, the cryptosystem is 
executed to convert plaintext into ciphertext through 
secret parameters. The decryptosystem is executed to 
transform the ciphertext into the original plaintext 
through the effect of reverse transform with the same 
secret parameters as those used in the cryptosystem. 
The secret parameters are generally called a crypt-key 
(or just a key). The encrypting procedure is composed 
of repetition of one or more kinds of fundamental func- 
tions. The repetitive times are called rounds. In applying 
the encrypting procedure, the input data is divided into 
parts each of which has the same size and the encrypt- 
ing procedure is applied to each data part. Each data 
part is called a crypt-block (or just a block). 

In designing and promoting the encryption, an 
important factor is a defense for various kinds of 
decrypting methods. The most frequently used decrypt- 
ing method is an extensive search for keys. In recent 
days, however, remarks are placed on more efficient dif- 
ferential cryptanalysis and linear cryptanalysis than the 
extensive search. 

In the pages 1 63 to 1 66 of the aforementioned writ- 
ing and the linear cryptanalysis of the DES (Data 
Encryption Standard) published in "The 1993 Sympo- 
sium on Cryptography and Information Security", the 
differential and the linear cryptanalyses utilize the corre- 
lation among the plaintext, the ciphertext, and the keys, 
which are proper to the encrypting system, and is exe- 
cuted to collect lots of inputs and outputs (plaintext and 
ciphertext) to be encrypted or decrypted by the same 
key and perform the statistical operation about these 
inputs and outputs for estimating the key. 

The conventional method for defending the differen- 



tial or linear cryptanalysis in the conventional encrypting 
system is executed to reduce the correlation among the 
plaintext, the ciphertext, and the key by increasing the 
rounds. 

5 

SUMMARY OF THE INVENTION 

The processing time of encryption or decryption is 
proportional to the rounds. The defense for the differen- 
ce tial and the linear cryptanalyses through the effect of the 
increase of the rounds entails a large shortcoming, that 
is, the increase of the processing time. Hence, it is an 
object of the present invention to improve the process- 
ing performance and the security of the cryptosystem 

15 by establishing the method for protecting ciphertext 
from the differential and the linear cryptanalyses without 
increasing the processing time. 

As described above, the differential and the linear 
cryptanalyses are executed to collect lots of inputs and 

20 outputs (plaintext and ciphertext) encrypted and 
decrypted through the same key and perform a statisti- 
cal operation about the inputs and outputs for estimat- 
ing the key. In accordance with a first aspect of the 
present invention, an information processing method 

25 includes the steps of entering or receiving a plaintext 
and encrypting the plaintext, wherein the method uti- 
lizes as a key of a block of the plaintext an intermediate 
result given in the process of encrypting another block 
or a value derived on the intermediate result. This 

30 method uses a different key to each block depending 
upon the plaintext data. The present method thus disal- 
lows execution of the foregoing statical operation and 
allows the ciphertext to be protected from the differential 
and the linear cryptanalyses. 

35 The foregoing first method disables to use the inter- 
mediate result given in the process of encrypting 
another block for the first block of the plaintext to be 
encrypted. Hence, the key is constant. The first method, 
therefore, allows the key of the first block to be esti- 

40 mated by collecting the inputs and the outputs of the 
first block over lots of plaintext and the overall ciphertext 
to be cryptanalyzed with the estimated key as a clue. In 
order to overcome this problem, in accordance with a 
second aspect of the present invention, an information 

45 processing method includes the steps of entering or 
receiving the plaintext and encrypting the plaintext, 
wherein the method of the second aspect is executed to 
generate a random number for each plaintext and use 
the random number as the key of the first block of the 

so plaintext to be encrypted. This second method, there- 
fore, has a different key of the first block to each plain- 
text and thus enables to overcome the problem of the 
foregoing first method. 

Further, the encryption is often executed in associ- 

55 ation with data compression. As is described in pages 
21 to 247 of "The Data Compression Book" in Japanese 
Toppan (1994), the compression is executed to replace 
a bit train of the plaintext with a shorter bit train. A plu- 
rality of correspondences are provided between the bit 
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trains of the block of the plaintext and the compressed 
data. In accordance with a third aspect of the invention, 
the information processing method includes the steps of 
entering or receiving data and compressing the data, 
wherein the method of the third aspect is executed to 5 
determine the correspondence between the bit trains of 
the block of the plaintext and the compressed data 
depending upon the intermediate result given in the 
process of encrypting another block. The third aspect 
method, therefore, enables to change the correspond- w 
ence between the bit train of the block of the plaintext 
and the bit train of the compressed data for each block 
depending upon the plaintext data. Further, the interme- 
diate result given in the process of encrypting the data 
cannot be estimated if the key is obtained. It is therefore 15 
impossible to grasp how the correspondence between 
the bit train of the block of the plaintext and the bit train 
of the compressed data is changed unless the key is 
obtained. The third aspect method, therefore, enables 
to use the compression as a kind of cryptosystem, offer 2 o 
the same effect as the increase of the rounds, and 
thereby prevent the differential and the linear cryptan- 
alyses. 



BRIEF DESCRIPTION OF THE DRAWINGS 



DESCRIPTION OF THE PREFERRED EMBODI- 
MENTS 



25 



Fig. 1 is a block diagram showing a functional con- 
figuration according to a first embodiment of the 
present invention; 

Fig. 2 is a flowchart showing an operation of a con- 30 
trol process executed in the method and the appa- 
ratus according to the first embodiment of the 
present invention; 

Fig. 3 is a diagram showing a Huffman tree indicat- 
ing correspondence between plaintext data and 35 
compressed data used according to the first 
embodiment of the present invention; 
Fig. 4 is a diagram showing a transformation of the 
Huffman tree used in the method and the apparatus 
according to the first embodiment of the present 40 
invention; 

Fig. 5 is a block diagram showing a functional con- 
figuration according to a second embodiment of the 
present invention; and 

Fig. 6 is a flowchart showing an operation of a con- 45 
trol process executed in the method and the appa- 
ratus according to the second embodiment of the 
present invention. 



50 



Two embodiments of the present invention will be 
described with reference to Figs. 1 to 6. 

Fig. 1 is a functional arrangement of the first 55 
embodiment of the present invention. A block 101 
denotes a completed information processing system. A 
block 102 is a process implemented by a central 
processing unit and an input/output (I/O) unit. The block 



102 includes an I/O portion 103, a control portion 104, a 
random number generating portion 105, a key generat- 
ing portion 106, a correspondence changing portion 
107, a compressing portion 108. a pre-encrypting por- 
tion 109, and a post-encrypting portion 1 10. A block 1 1 1 
is a storage unit such as a RAM or a disk and stores 
plaintext data 112, random numbers 113, common keys 
114, information regarding correspondences 115, work 
keys 1 16, and compressed and encrypted data 1 1 7. 

The I/O portion 103 receives a plaintext data from 
the outside and puts it in the memory 111. Further, the 
I/O portion 103 receives a compressing and encrypting 
instruction and passes it to the control portion 104. On 
the other hand, the I/O portion 103 reads the com- 
pressed and encrypted data 1 1 7 from the memory 1 1 1 
and outputs it to the outside. When the control portion 
104 receives the compressing and encrypting instruc- 
tion from the I/O portion 103, the control portion 104 
starts the random number generating portion 105 for 
generating a random number and then starts the key 
generating portion 106 for generating a work key. Next, 
the control portion 1 04 reads the plaintext data 1 1 2 from 
the memory 1 1 1 and iteratively executes the five proc- 
esses including the compression 108, the pre-encryp- 
tion 109, the post-encryption 110, the correspondence 
change 107, and the work key change, thereby com- 
pressing and encrypting the plaintext data. The control 
portion 1 04 will be discussed below. 

In order to implement the random number generat- 
ing portion 105, it is possible to use the conventional 
method for generating a random number as is 
described in pages 61 to 86 of Japanese literature 
"Introduction to Cryptography Theory", Kyoritu edition 
(1993). As an example, this method is executed to set a 
proper initial value to a random number 1 13 in the mem- 
ory 111, read the previous random number 113 each 
time the random number generating portion 105 is 
started, apply the cryptanalysis to the previous random 
number 113 inside of the random number generating 
portion 105, and set the encrypted result as a new ran- 
dom number. Further, the random number 113 in the 
memory 1 1 1 is replaced with a new random number. 

The key generating portion 106 is executed to gen- 
erate the work key 116 from the random number 113 
and the common key 1 14. The work key 1 1 6 is executed 
by the method as described in Institution for Electronic, 
Information and Communication Engineers, Transac- 
tions, Vol. E74, No. 8, pp2153 to 2159. 

The correspondence changing portion 107 is exe- 
cuted to change the correspondence 115 between the 
bit trains of the plaintext data and the compressed data 
on the work key. A specific example of the correspond- 
ence depends on a specific compression 108. In this 
embodiment, the compressing portion 108 utilizes the 
Huffman compression. The correspondence between 
the bit trains of the plaintext and the compressed data in 
the process of the Huffman compression is represented 
by tree-structure data called a Huffman tree. This Huff- 
man tree is changed with the change of the correspond- 
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ence 107. The correspondence changing portion 107 
will be discussed below. 

The compressing portion 108 utilizes the Huffman 
compression as mentioned above. According to the 
Huffman tree of the correspondence 1 1 5, the bit train of 
the plaintext data is replaced with the bit train of the 
compressed data for compressing the plaintext data. 
The Huffman compression is realized by the conven- 
tional method as described in pages 21 to 103 of "Data 
Compression Handbook", Toppan 1994. 

The pre-encrypting portion 109 is executed to 
encrypt the data with the work key 1 16 as a parameter 
as described in the pages 33 to 59 of "Introduction to 
Cipher Theory", Kyouritu, edition., 1993. Like the pre- 
encrypting portion 109, the post-encrypting portion 110 
is executed to encrypt the data with the work key 1 1 6 as 
a parameter by the conventional method. 

Fig. 2 shows the detail of the operation of the con- 
trol portion 104. At a step 201 , the random number gen- 
erating portion 105 is started for generating a random 
number. At a step 202, the key generating portion 106 is 
started for generating the work key and then setting the 
initial value of the work key 1 1 6. Then, at a step 203, the 
control portion 104 reads the plaintext data 112- 

At a step 204, when the compressing portion 108 is 
started, the next symbol of the plaintext data is com- 
pressed. Herein, for compressing the plaintext data, the 
compressing portion 108 is executed to transform the 
symbol (bit train) of the plaintext data into the com- 
pressed bit train according to the correspondence 115. 
At a step 205, it is determined if more of the com- 
pressed data than the block size for cryptanalysis is 
stored. If so, the operation goes to a step 206. If the 
compressed data is less than the block size, the opera- 
tion of the step 204 is repeated. 

At a step 206, one block of the compressed data is 
applied to the pre-encrypting portion 109 for encrypting 
the block. The pre-encrypting portion 109 uses the work 
key 1 16 as a parameter. At a step 207, the result of the 
pre-encrypting portion 109 is stored. At a step 208, the 
pre-encrypted result is applied to the post-encrypting 
portion 110 for encrypting it. Herein, like the pre- 
encrypting portion 109, the post-encrypting portion 110 
uses the work key 1 16 as a parameter. Then, the addi- 
tional data of the work key to the compressed and 
encrypted data is stored as the compressed and 
encrypted data 1 1 7 in the memory 111. 

At a step 209, the correspondence 1 15 between the 
bit trains of the plaintext data and the compressed data 
is changed on the pre-encrypted result. At a step 210, 
the work key 116 is replaced with the pre-encrypted 
result. Then, at a step 21 1 , it is determined if the overall 
plaintext data is processed. If yes, the process is termi- 
nated. If no, the operation goes to a step 212. 

At the step 212, it is determined if a given number 
of encrypting blocks are processed. If yes, the operation 
returns to the step 201. If no, the operation returns to 
the step 204. The reason why the operation returns to 
the step 201 will be described below. Computer pro- 



grams implementing the steps of Fig. 2 may be stored in 
a recording medium such as a semiconductor memory, 
a floppy disk or a CD-ROM. 

In this embodiment, the intermediate result (pre- 

5 encrypted result) in the process of encrypting one block 
is made to be a parameter for compressing and encrypt- 
ing the next block. In decompressing and restoring the 
compressed and encrypted data that is an output of this 
embodiment, it is necessary to use the same parameter 

w as that used in compressing and encrypting the data. 
Hence, the intermediate result given in the process of 
decrypting one block is required to be set as a parame- 
ter for decrypting and decompressing the next block. 
Hence, if one erroneous bit appears in the compressed 

15 and encrypted data while the data is communicated or 
stored in a file, the intermediate result in the decrypted 
block containing the erroneous bit is made erroneous. 
As a result, the parameter for decrypting and decom- 
pressing the next block is made erroneous. This error is 

20 propagated to the last block of the data. 

The improvement in the error correcting technique 
of the communication and the file storage results in sub- 
stantially protecting an application layer for which the 
present invention is intended, from being erroneous. 

25 Hence, the error propagation is negligible in any system 
to which the present invention applies. However, the 
applied systems may be provided where no error cor- 
rection is done. If the present invention is applied to 
such systems, it is necessary to restrict the number of 

30 the error propagated blocks. 

The foregoing returning operation from the steps 
212 to 201 meets with this requirement. That is, if the 
number of the error propagated blocks reaches a given 
value, at the steps 201 and 202, the operation is exe- 

35 cuted to reset the work key to a value that is independ- 
ent of the intermediate result in the encryption of the 
previous block, which makes it possible to avoid the 
error propagation. 

Next, with reference to Figs. 3 and 4, the operation 

40 of the correspondence changing portion 107 will be 
described. In the Huffman compression, the corre- 
spondence 115 between the bit trains of the plaintext 
data and the compressed data is represented by the 
Huffman tree. Fig. 3 shows an example of a Huffman 

45 tree. This Huffman tree is a binary tree in which a right 
and a left branches are spread at each intermediate 
node. The right and the left branches contain a value of 
0 or 1 , respectively. The end node represents one sym- 
bol of the plaintext data. The connection of the branch 

so values from the end node to the root node represents a 
bit train of the compressed data for the symbol repre- 
sented by the end node. For example, the bit train of the 
compressed data for i is 1000 and the bit train of the 
compressed data for h is 010. 

55 The correspondence changing portion 107 is 
started by the control portion 104. The correspondence 
changing portion 107 is executed to add numbers to the 
intermediate nodes of the Huffman tree. Specifically, the 
nodes are numbered in such a manner that a first is 
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added to the root node, a second and a third are added 
to a second-stage node from left to right, a fourth and a 
fifth are added to a third-stage node from left to right, 
and so forth. That is, the numbering is executed from 
top to down and from left to right. Then, the values given 
to the right and the left branches of the intermediate 
node are replaced with each other according to the work 
key. Specifically, if the i-th bit of the work key is 1 , the 
values given to the right and the left branches of the i-th 
intermediate node are replaced with each other, (if it is 
zero, no replacement is done.) 

In Fig. 4, a block 401 indicates a transformation of 
the Huffman tree shown in Fig. 3 on the assumption that 
the work key is 1100100... A block 402 indicates a trans- 
formation of the Huffman tree shown in the block 401 on 
the assumption that the work key is 1010110... The 
work key is assumed to have a sufficiently large number 
of bits and if any bit of the work key exceeds the inter- 
mediate node number of the Huffman tree, the bit is 
ignored in the correspondence changing portion 107. 

The foregoing description is concerned with the first 
embodiment of the present invention. The conventional 
encrypting method has been arranged to secure more 
rounds for preventing the linear and the differential cryp- 
tanalyses. This preventing method, however, has a 
drawback of increasing the processing time. On the 
other hand, the method of the foregoing embodiment 
has been arranged to change the work key for each 
block. This change makes it impossible to perform a sta- 
tistical operation for estimating the key, thereby keeping 
the ciphertext data from the differential and the linear 
cryptanalyses. The work key for each block is an inter- 
mediate result given in the process of encrypting the 
previous block. This method, hence, does not need an 
extra processing time for changing the work key. As 
described above, the method of this embodiment ena- 
bles to prevent the differential and the linear cryptan- 
alyses without any increase of the processing time, 
thereby improving the cipher performance and the 
strength capability to the cryptanalysis. 

Further, according to the first embodiment, in the 
compressing process, the correspondence between the 
plaintext data and the compressed data may be 
changed for each block depending on the intermediate 
result given in the process of encrypting the previous 
block. The intermediate result cannot be estimated 
unless the key is obtained. It means that the corre- 
spondence between the plaintext data and the com- 
pressed data is not estimated. The method of this 
embodiment can use the compression as a kind of 
encryption. The compression may present the same 
effect as the increase of the rounds and be used for kee- 
pig the ciphertex data from the differential and the linear 
cryptanalyses. 

Fig. 5 shows a functional arrangement of a method 
according to a second embodiment of the present 
invention. This is intended for decrypting and decom- 
pressing the encrypted data compressed by the method 
of the first embodiment for obtaining the original plain- 
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text data. A block 501 denotes a completed information 
processing system. A block 502 denotes a process 
implemented by a central processing unit and an I/O 
unit, which process includes an I/O portion 503, a con- 

5 trol portion 504, a random number reading portion 505, 
a key generating portion 506, a correspondence chang- 
ing portion 507, a decompressing portion 508, a pre- 
decrypting portion 509, and a post-decrypting portion 
510. A block 1 1 1 denotes a memory realized by a RAM, 

70 a disk, or the like. The memory 1 1 1 stores compressed 
and encrypted data 512, a random number 513, a com- 
mon key 514, a correspondence 515, a work key 516, 
and plaintext data 51 7. 

The I/O portion 503 is executed to apply the com- 

75 pressed and encrypted data from the outside and store 
it in a memory 51 1 . At a time, the I/O portion 503 is exe- 
cuted to receive a decrypting and decompressing 
instruction and pass it to the control portion 504. On the 
other hand, the I/O portion 503 is also executed to read 

20 the plaintext data 51 7 from the memory 51 1 and put it to 
the outside. When the control portion 504 receives the 
decrypting and decompressing instruction from the I/O 
portion 503, the control portion 504 is executed to start 
the random number reading portion 505 and read a ran- 

25 dom number added to the compressed and encrypted 
data 512. Then, the control portion 504 is executed to 
start the key generating portion 51 1 for generating the 
work key. Next, the control portion 504 is also executed 
to read the compressed and encrypted data 512 from 

30 the memory 51 1 and repeat five operations comprised 
of the pre-decryption 509, the post -decryption 510, the 
decompression 508, the correspondence change 507, 
and the change of the work key, to decrypt and decom- 
press the compressed and encrypted data. The control 

35 portion 504 will be discussed later in detail. 

The random number reading portion 505 is exe- 
cuted to read the random number added to the com- 
pressed and encrypted data 512. This random number 
has been used for generating the work key in the 

40 method of the first embodiment. 

The key generating portion 506 is executed to gen- 
erate a work key 516 from the random number 513 and 
the common key 514. The common key 514 has the 
same value as the common key 114 used in the first 

45 embodiment. Hence, since the random number and the 
common key are the same as those used in the first 
embodiment, the work key 516 to be generated by the 
method of the second embodiment is the same as the 
work key 116 used in the method of the first embodi- 

50 ment. 

The correspondence changing portion 507 is exe- 
cuted to change a correspondence 515 between the bit 
trains of the compressed data and the plaintext data on 
the basis of the work key. The concrete correspondence 
55 depends on the concrete decompression 508. The 
method of this, second embodiment uses the Huffman 
decompression for the decompressing portion 508. As 
described in pages 21 to 103 of "The Data Compression 
Book" Toppan (1994), the Huffman decompression is a 
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reverse transform of the Huffman compression. Like the 
first embodiment, the correspondence between the bit 
trains of the compressed data and the plaintext data is 
represented by a Huffman tree. Hence, the correspond- 
ence changing portion 507 is executed to change the 
Huffman tree in a similar manner to the correspondence 
changing portion 107 included in the method of the first 
embodiment. Since the correspondence changing por- 
tion 507 uses the same work key and method of chang- 
ing the Huffman tree as those used in the method of the 
first embodiment, the changed Huffman tree is the 
same as that of the first embodiment. 

The decompressing portion 508 is executed to per- 
form the Huffman decompression as mentioned above. 
That is, according to the Huffman tree of the corre- 
spondence 515, the bit train of the compressed data is 
replaced with that of the plaintext data to decompress 
the compressed data. The decompressing portion 508 
is a reverse transform of the compressing portion 108 
and uses the same Huffman tree as that of the first 
embodiment. Hence, the decompressing portion 508 
enables to transform the data compressed by the 
method of the first embodiment back to the original 
data. 

The pre-decrypting portion 509 is a reverse trans- 
form of the post-encrypting portion included in the 
method of the first embodiment. The pre-decrypting 
portion 509 is executed to decrypt the data with the 
work key 51 6 as a parameter. The post-decrypting por- 
tion 510 is a reverse transform of the pre-encrypting 
portion included in the method of the first embodiment. 
The post-decrypting portion 510 is executed to decrypt 
the data with the work key 516 as a parameter. As men- 
tioned above, in the second embodiment, the pre- 
decryption is a reverse transform of the post- encryption 
included in the first embodiment, the post-decryption is 
a reverse transform of the pre-encryption therein, and 
the same work key as that of the first embodiment is 
used for the decryption. Hence, the method of the sec- 
ond embodiment enables to decrypt the compressed 
and encrypted data into the compressed data. 

Fig. 6 shows the detail of the operation of the con- 
trol portion 504. At a step 601 , the operation is executed 
to start the random number reading portion 505 for 
reading the random number. At a step 602, the key gen- 
erating portion 506 is started for generating the work 
key. As a result, the initial value of the work key 516 is 
set as the same value as the initial value of the work key 
116 used in the first embodiment. Then, at a step 603, 
the operation is executed to read the compressed and 
encrypted data 512. 

At a step 604, the pre-decrypting portion 509 is 
started for decrypting one block of the compressed and 
encrypted text. The pre-decrypting portion 509 uses the 
work key 516 as a parameter. At a step 605, the pre- 
decrypted result is stored. The pre-decrypting portion 
509 is a reverse transform of the post-decrypting portion 
110 included in the first embodiment- Hence, the pre- 
decrypted result has the same value as the value imme- 



diately before the post-decryption performed in the first 
embodiment, that is, the pre-decrypted result. At a step 
606, the post-decrypting portion 510 is started to further 
decrypt the result of the pre-decrypting portion 509. The 

5 post -decrypting portion 5 1 0 is a reverse transform of the 
pre-decrypting portion 110 included in the first embodi- 
ment. Hence, the post-decrypted result is the same as 
the value immediately before the pre-decryption per- 
formed in the first embodiment, that is, the compressed 

10 text of one block obtained by the compressing portion 
108. 

At a step 607, the decompressing portion 508 is 
started to decompress one symbol from the head of the 
compressed text of one block. The decompressing por- 

75 tion 508 is a reverse transform of the compressing por- 
tion 108 included in the first embodiment. As mentioned 
above, the Huffman tree for representing the corre- 
spondence between the compressed text and the plain- 
text is the same as the tree used in the first 

20 embodiment. At the step 607, the operation is executed 
to obtain the value before the compression, that is, the 
symbol of the plaintext used in the first embodiment. At 
a step 608, it is determined if the remains of the com- 
pressed data of one block are larger than or equal to 

25 one symbol of the plaintext. If yes, the operation returns 
to the step 607 at which the decompression is repeated. 
If no, the operation returns to the step 609. At this step, 
the operation is executed to store the remaining data of 
one block of the compressed text and add it to the head 

30 of the next block of the compressed text if the block is 
obtained. 

At the step 609, the correspondence changing por- 
tion 507 is started for changing the correspondence 
515, that is, the Huffman tree depending on the pre- 
ss decrypted result. The pre-decrypted result is the same 
as the result pre-encrypted by the first embodiment. The 
correspondence 515 before change is the same as the 
correspondence 115 of the first embodiment. Hence, 
the correspondence 515 is the same as that of the first 
40 embodiment even after the correspondence 515 is 
changed. At a step 610, the work key 516 is replaced 
with the pre-decrypted result. The pre-decrypted result 
has the same value as the pre-encrypted result used in 
the method of the first embodiment. Hence, the work 
45 key 516 has the same value as that used in the method 
of the first embodiment even after it is changed. 

At a step 611, it is determined if the overall data of 
the compressed and encrypted text is processed. If yes, 
the operation is terminated. If no, the operation goes to 
so a step 612. At this step 612, it is determined if a given 
number of blocks have been processed. If yes, the oper- 
ation returns to the step 601 at which the random 
number is newly read from the compressed and 
encrypted text 512. If no, the operation returns to the 
55 step 604 at which the the next block of the compressed 
and encrypted data is decrypted. The number of blocks 
used for the determination at the step 612 is set as the 
same value as that used in the method of the first 
embodiment. As a result, the period of updating the ran- 
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dom number is the same as that used in the method of 
the first embodiment. 

Computer programs for implementing the steps of 
Fig. 6 may be stored in a recording medium to be 
loaded in the system. 

The foregoing description has been concerned with 
the second embodiment. As described above, accord- 
ing to the second embodiment, the method has been 
arranged to decompress and decrypt the data com- 
pressed and encrypted by the method of the first 
embodiment for recovering the original plaintext data. 
Many of the currently used encryptions are arranged to 
repeat the fundamental functions for encrypting the 
plaintext data or repeat the reverse functions of those 
fundamental functions for decrypting the ciphertext 
data. The repetitive times of the reverse functions used 
in the decryption are equal to the repetitive times of the 
functions used in the encryption. The method of the first 
embodiment has been arranged to cope with the differ- 
ential and the linear cryptanalyses without having to 
increase the rounds (repetitive times of the fundamental 
functions). Hence, the method of the second embodi- 
ment does not need to increase the rounds for the 
decryption. As described above, the methods of the first 
and the second embodiments enable to encrypt the 
data and decrypt it as keeping the high-level encryption 
without having to increase the processing time. 

As is obvious from the foregoing description, the 
method according to the present invention is arranged 
to prevent the differential and the linear cryptanalyses 
without increasing the processing time in the encrypting 
process and the compressing and encrypting process. 
This makes it possible to improve the processing per- 
formance and the cipher strength to the differential and 
linear cryptanalyses. The information processing sys- 
tem according to the present invention may include a 
usually used hardware or software means for allowing 
down-loading of the programs implementing the steps 
of Fig. 2 and/or Fig. 6. 

Claims 

1. An information processing method (101) compris- 
ing the steps of: entering or receiving data; provid- 
ing as a parameter (1 16) for encrypting a portion of 
said data, an intermediate result given in the proc- 
ess of encrypting another portion of said data or a 
value derived on the intermediate result; and 
encrypting said data using said parameter. 

2. An information processing method (101) including 
the steps of: entering or receiving data; dividing 
said data into plural blocks, and sequentially 
encrypting said blocks through said encrypting 
step; providing as a parameter (116) for encrypting 
one of said blocks an intermediate result(s) given in 
the process of encrypting one or more blocks previ- 
ous to said block or a value(s) derived on the inter- 
mediate result(s); and encrypting each of said 
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blocks using said parameter to encrypt said data. 

3. An information processing method (101) compris- 
ing the steps of: entering or receiving data, dividing 

s said data into plural blocks, and encrypting said 

blocks in parallel through the effect of said encrypt- 
ing step, 

said encrypting step comprising using as a 
w parameter (116) for encrypting one of said 

blocks at a time point on a processing process 
a calculated one at said time point of intermedi- 
ate results given in the process of encrypting 
one or more blocks rather than said block or a 
75 value derived on said calculated intermediate 

result. 

4. An information processing method (101) compris- 
ing the steps of: entering or receiving data, com- 

20 pressing said data, and encrypting said 
compressed data, 

said data encrypting step comprising determin- 
ing a correspondence (115) between a bit train 
25 of a portion of said data to be compressed and 

a bit train of a portion of the compressed data 
depending on an intermediate result given in 
the process of encrypting another portion of 
said data. 

30 

5. An information processing method comprising the 
steps of: entering or receiving data, compressing 
said data, encrypting said compressed data, divid- 
ing said data into plural blocks, and sequentially 

35 compressing and encrypting said blocks through 
the effect of said compressing step and said 
encrypting step, 

said data encrypting step comprising determin- 
40 ing a correspondence (115) between a bit train 

of a block of said data to be compressed and a 
bit train of the compressed data on an interme- 
diate result given in the previous encrypting 
process of one or more compressed and 
45 encrypted blocks. 

6. An information processing method comprising the 
steps of: entering or receiving data, compressing 
said data, encrypting said compressed data, divid- 

so ing said data into plural blocks, and compressing 
and encrypting said blocks in parallel through the 
effect of said compressing step and encrypting 
step, 

55 said encrypting step comprising determining a 

correspondence (115) between a bit train of a 
block of the data to be compressed and a bit 
train of the compressed data on a calculated 
one at the time point of intermediate results 



7 




EP 0 793 



given in the previous encrypting process of one 
or more blocks rather than said target block. 

7. An encrypting method as claimed in claim 1, 
wherein the operation at said encrypting step (201 s 
to 212) is composed of n processes, wherein ml, 
m2, .... mk is an integer of 1 < mk < n and the inter- 
mediate result in said encryption is an ml-th proc- 
essed result, an m2-th processed result, an mk- 

th processed result. 10 

8. An encrypting method as claimed in claim 2, 
wherein the operation at said encrypting step (201 
to 212) is composed of n processes, wherein ml, 
m2,... mk is an integer of 1 < mk < n and the inter- 15 
mediate result is said encrypting process is an ml- 
th processed result, an m2-th processed result, .... 

an mk-th processed result. 

9. An encrypting method as claimed in claim 3, 20 
wherein the operation at said encrypting step (201 

to 212) is composed of n processes, wherein ml, 
m2, mk is an integer of 1 < mk < n and the inter- 
mediate result in said encrypting process is an ml- 
th processed result, an m2-th processed result, .... 25 
an mk-th processed result. 

10. An encrypting method as claimed in claim 4, 
wherein the operation at said encrypting step (201 

to 212) is composed of n processes, wherein ml, 30 
m2 mk is an integer of 1 < mk < n and the inter- 
mediate result in said encrypting process is an ml- 
th processed result, an m2-th processed result, .... 
an mk-th processed result. 

35 

11. An encrypting method as claimed in claim 5, 
wherein the operation at said encrypting is com- 
posed of n processes, wherein ml , m2, .... mk is an 
integer of 1 < mk < n and the intermediate result in 
said encrypting process is an m1-th processed 40 
result, an m2-th processed result, ,.,an mk-th proc- 
essed result. 

12. An encrypting method as claimed in claim 6, 
wherein the operation at said encrypting step is 45 
composed of n processes, wherein ml, m2 mk 

is an integer of 1 < mk < n and the intermediate 
result in said encrypting process is an m1-th proc- 
essed result, an m2-th processed result, an mk- 
th processed result. so 

13. An encrypting method as claimed in claim 1, 
wherein at a time point on the process, said param- 
eter (116) for encryption or said correspondence 
(115) between the bit train of said input data and 55 
the bit train of said compressed data is changed 
into a value that does not depend on the intermedi- 
ate result given in said encrypting process. 




14. An encrypting method as claimed in claim 2, 
wherein at a time point on the process, the param- 
eter (116) for encryption or the correspondence 
(115) between the bit train of the input data and the 
bit train of the compressed data is changed into a 
value that does not depend on the intermediate 
result given in said encrypting process. 

15. An encrypting method as claimed in claim 3, 
wherein at a time point on the process, the param- 
eter (116) for encryption or the correspondence 
(115) between the bit train of the input data and the 
bit train of the compressed data is changed into a 
value that does not depend on the intermediate 
result given in said encrypting process. 

16. An encrypting method as claimed in claim 4, 
wherein at a time point on the process, the param- 
eter (116) for encryption or the correspondence 
(115) between the bit train of the input data and the 
bit train of the compressed data is changed into a 
value that does not depend on the intermediate 
result given in said encrypting process. 

17. An encrypting method as claimed in claim 5, 
wherein at a time point on the process, the param- 
eter (116) for encryption or the correspondence 
(115) between the bit train of the input data and the 
bit train of the compressed data is changed into a 
value that does not depend on the intermediate 
result given in said encrypting process. 

18. An encrypting method as claimed in claim 6, 
wherein at a time point on the process, the param- 
eter (116) for encryption or the correspondence 
(115) between the bit train of the input data and the 
bit train of the compressed data is changed into a 
value that does not depend on the intermediate 
result given in said encrypting process. 

19. An encrypting method as claimed in claim 7, 
wherein at a time point on the process, the param- 
eter (116) for encryption or the correspondence 
(115) between the bit train of the input data and the 
bit train of the compressed data is changed into a 
value that does not depend on the intermediate 
result given in said encrypting process. 

20. An information excrypting method (101) compris- 
ing: the steps of; entering or receiving data and 
encrypting said data, said data encrypting step 
comprising generating a random number (105); and 
setting said random number or a value derived on 
said random number as a parameter for encrypting 
said data (106). 

21. An encrypting method as claimed in claim 20, 
wherein said random number is generated by repet- 
itively performing an encrypting process about an 
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22. An encrypting method as claimed in claim 20, 
wherein plural random numbers are generated by 
repetitively performing the operation of the step for 
generating said random number and said random 
numbers are set as parameters for encrypting vari- 
ous portions of said data. 

23. An encrypting method as claimed in claim 21, 
wherein plural random numbers are obtained by 
repetitively performing the operation of the step for 
generating the random number and said random 
numbers are bet as parameters for encrypting vari- 
ous portions of said data. 

24. An encrypting method as claimed in claim 20, 
wherein the parameter for encrypting said data or 
the information required for deriving the parameter 
is added to the encrypted data. 

25. An encrypting method as claimed in claim 21, 
wherein the parameter for encrypting said data or 
the information required for deriving the parameter 
is added to the encrypted data. 

26. An encrypting method as claimed in claim 22, 
wherein the parameter for encrypting said data or 
the information required for deriving the parameter 
is added to the encrypted data. 

27. An encrypting method as claimed in claim 20, 
wherein the parameter for encrypting said data or 
the information required for deriving the parameter 
is used for decrypting said encrypted data. 

28. An encrypting method as claimed in claim 21, 
wherein the parameter for encrypting said data or 
the information required for deriving the parameter 
is used for decrypting said encrypted data. 

29. An encrypting method as claimed in claim 22, 
wherein the parameter for encrypting said data or 
the information required for deriving the parameter 
is used for decrypting said encrypted data. 

30. An encrypting method as claimed in claim 24, 
wherein the parameter for encrypting said data or 
the information required for deriving the parameter 
is used for decrypting said encrypted data. 

31. An encrypting method as claimed in claim 27, 
wherein the operation of encrypting said data is 
executed by a different computer from the operation 
of decrypting said data, and the parameter for 
encrypting said data or the information required for 
deriving the parameter is communicated from the 
computer for executing the encryption to the other 
computer for executing the decryption. 
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32. An information processing apparatus (101) com- 
prising: 

means (103) for entering or receiving data; 
means (109, 110) for encrypting said data; 
means (116) for storing an intermediate result 
on the encrypting process given by said 
encrypting means (109, 110); and 
means (104) for entering said stored intermedi- 
ate result or a value that depends on said inter- . 
mediate result as a parameter to said 
encrypting means(109. 110). 

33. An information processing apparatus (101) com- 
prising: 

means (103) for entering or receiving data; 
means (109, 1 10) for encrypting said data; and 
means (104) for entering an intermediate result 
on the encrypting process given by said 
encrypting means (109) into the other encrypt- 
ing means (110) as a parameter. 



34. An information processing apparatus (101) com- 
25 prising: 



means (103) for entering data; 
means (108) for compressing said data, and 
means (109, 110) for encrypting said data; 
means (115) for storing an intermediate result 
on the encrypting process given - by said 
encrypting means; and 

means (104) for entering said stored intermedi- 
ate result or a value that depends on said inter- 
mediate result to said compressing means 
(108) as a parameter. 
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35. An information processing apparatus (101) com- 
prising: 

means (103) for entering or receiving data; 
means (108) for compressing said data and 
means (109, 110) for encrypting said data, said 
compressing means and said encrypting 
means being provided in plural pairs; and 
means (104) for entering an intermediate result 
on the encrypting process given by one of said 
plural pairs of compressing and encrypting 
means into the compressing means of the 
other pair as a parameter. 



36. An information processing apparatus as claimed in 
claim 32, further comprising means (107) for 
changing a value stored in said means (116) for 

55 storing the intermediate result on the encrypting 
process into a value that does not depend on the 
intermediate result on the encrypting process. 

37. An information processing apparatus as claimed in 
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claim 33, further comprising means (107) for 
changing a value stored in means (116) for storing 
said intermediate result on the encrypting process 
into a value that does not depend on said interme- 
diate result. 

38. An information processing apparatus as claimed in 
claim 34, further comprising means (107) for 
changing a value stored in means (116) for storing 
said intermediate result on the encrypting process 
into a value that does not depend on said interme- 
diate result. 

39. An information processing apparatus as claimed in 
claim 32, further comprising means (107) for calcu- 
lating or storing the value that does not depend on 
the intermediate result on the encrypting process 
and means (1 1 5) for entering the value as a param- 
eter to said encryoting means or compressing 
means. 

40. An information processing apparatus as claimed in 
claim 33, further comprising means (107) for calcu- 
lating or storing the value that does not depend on 
the intermediate result on the encrypting process 
and means (115) for entering said value as a 
parameter into said encrypting means or com- 
pressing means. 

41. An information processing apparatus as claimed in 
claim 34, further comprising means (107) for calcu- 
lating or storing the value that does not depend on 
the intermediate result on the encrypting process 
and means (115) for entering said value as a 
parameter into said encrypting means or com- 
pressing means. 

42. An information processing apparatus as claimed in 
claim 35, further comprising means (107) for calcu- 
lating or storing the value that does not depend on 
the intermediate result on the encrypting process 
and means (115) for entering said value as a 
parameter into said encrypting means or com- 
pressing means. 

43. An information encrypting apparatus comprising: 

means (103) for entering or receiving data; 
means (109, 110) for encrypting said data; 
means (105) for generating a random number; 
and 

means (113) for entering said random number 
of a value that does not depend on said ran- 
dom number into said encrypting means as a 
parameter. 

44. An information encrypting apparatus comprising: 

means (103) for entering or receiving data; 



first encrypting means (109, 110) for encrypt- 
ing said data; 

second encrypting means (110) for encrypting 
a value to be stored; 
5 means (104) for entering an output value of 

said second encrypting means or a value that 
does not depend on the output value as a 
parameter; and 

means (117) for storing an output value of said 
10 second encrypting means. 

45. An encrypting apparatus as claimed in claim 43, 
further comprising means (104) for adding said 
parameter or information required for calculating 

is said parameter to an output value from said first 
encrypting means. 

46. An encrypting apparatus as claimed in claim 44, 
further comprising means (104) for adding said 

20 parameter or information required for calculating 
said parameter to an output value from said first 
encrypting means. 

47. An encrypting apparatus as claimed in claim 43, 
25 further comprising means for decrypting data with 

said parameter or the information required for cal- 
culating said parameter. 

48. An encrypting apparatus as claimed in claim 44, 
30 further comprising means for decrypting data with 

said parameter or the information required for cal- 
culating said parameter. 

49. An encrypting apparatus as claimed in claim 45, 
35 further comprising means for decrypting data with 

said parameter or the information required for cal- 
culating said parameter. 

50. An encrypting apparatus as claimed in claim 44, 
40 wherein said first and second encrypting means are 

located in a different computer from said decrypting 
means, the computer having said encrypting 
means includes means for transmitting said param- 
eter or the information required for calculating said 
45 parameter, and the other computer having said 
decrypting means includes means for receiving 
said parameter or the information required for cal- 
culating said parameter. 

51. An information encrypting method (101) comprising 
the steps of: 

entering or receiving data; 
encrypting said data; and 
55 using as a parameter for encrypting a portion of 

said data an intermediate result on the process 
of encrypting another portion of said or a value 
that is calculated from said intermediate value. 
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52. An information encrypting method (101) comprising 
the steps of: entering or receiving data; encrypting 
said data; dividing said data into plural blocks; and 
sequentially encrypting said blocks through the 
effect of said encrypting step; and 

said data encrypting step comprising using 
as a parameter for encrypting a block intermediate 
results of one or more blocks encrypted before said 
block or a value that is calculated from said inter- 
mediate results. 

53. An information encrypting method comprising the 
steps of : 

entering or receiving data; 

encrypting said data, dividing said data into 

plural blocks; and 

encrypting said blocks in parallel through the 
effect of said encrypting step; and 
said data encrypting step comprising using as 
a parameter for encrypting a block at a time 
point on the process one or more calculated 
ones at the time point of the intermediate 
results on the process of encrypting one or 
more blocks rather than said block or one or 
more values that are calculated from said cal- 
culated intermediate results. 

54. An information encrypting method comprising the 
steps of: 

entering or receiving data, compressing said 
data, and encrypting said compressed data; 
said data encrypting step comprising determin- 
ing correspondence between a bit train of a 
portion of the input data to be compressed and 
a bit train of the compressed data on the inter- 
mediate result given in the process of encrypt- 
ing another portion of said data. 



w 
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one block of the input data to be compressed and a 
bit train of said compressed data at a time point on 
the process on the basis of the one(s) calculated at 
that time point, among the intermediate results of 
one or more encrypted blocks rather than said sub- 
ject block. 

57. A computer readable recording medium for storing 
programs implementing a data encrypting opera- 
tion comprising: 

program means for entering or receiving data; 
program means for providing as a parameter 
for encrypting a portion of said data, an inter- 
mediate result given in the process of encrypt- 
ing another portion of said data or a value 
derived on the intermediate result; and 
program means for encrypting said data using 
said provided parameter. 
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55. An information encrypting method comprising the 
steps of: entering or receiving data, compressing 
said data, encrypting said compressed data, divid- 
ing said data into blocks, and sequentially com- 
pressing and encrypting said blocks through the 
effect of said compressing and encrypting steps, 
and determining correspondence between a bit 
train of a block of the input data to be compressed 
and a bit train of the compressed data on the inter- 
mediate result of one or more compressed and 
encrypted blocks before said subject block. 

56. An information encrypting method comprising the 
steps of entering or receiving data, compressing 
said data, encrypting said compressed data, divid- 
ing said data into plural blocks, compressing and 
encrypting said blocks in parallel through the effect 
of said compressing and encrypting steps, and 
establishing correspondence between a bit train of 



58. A computer readable recording medium for storing 
programs implementing a data encrypting opera- 
tion comprising: 

25 program means for entering data; 

program means for compressing said data; 
program means for encrypting said com- 
pressed data; 

program means for storing an intermediate 
30 result on the encrypting process given by exe- 

cution of the encrypting program means; 
program means for entering said stored inter- 
mediate result or value that depends on said 
intermediate result to said compressing pro- 
35 gram means as a parameter. 

59. A data encrypting apparatus comprising a proces- 
sor, a work memory coupled with said processor, 
an input and output device operable with the proc- 

40 essor and the memory, and a communication inter- 
face for communicating with the outside, said 
interface including means for allowing down-load- 
ing of processor readable programs for implement- 
ing a data encrypting operation, said programs 

45 comprising: 

a program portion for entering or receiving 
data; 

a program portion for providing as a parameter 
so for encrypting a portion of said data, an inter- 

mediate result given in the process of encrypt- 
ing another portion of said data or a value 
derived on the intermediate result; and 
a program portion for encrypting said data 
55 using said provided parameter. 

60. A data encrypting apparatus comprising a proces- 
sor, a work memory coupled with said processor, 
an input and output device operable with the proc- 
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essor and the memory; and a communication inter- 
face for communicating with the outside, said 
interface including means for allowing down-load- 
ing of processor readable programs for implement- 
ing a data encrypting operation, said programs 5 
comprising: 



program means for entering data; 
program means for compressing said data; 
program means for encrypting said com- 10 
pressed data; 

program means for storing an intermediate 
result on the encrypting process given by exe- 
cution of the encrypting program means; 
program means for entering said stored inter- 15 
mediate result or value that depends on said 
intermediate result to said compressing pro- 
gram means as a parameter. 
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FIG. 6 
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